cisco advanced malware protection (amp) for endpoints · cisco advanced malware protection (amp)...
TRANSCRIPT
Cisco Advanced Malware Protection(AMP) for Endpoints
Endpoints continue to be the primary point of entry for attacks!
65%of organizations say
attacks evaded existing
preventative tools
55%of organizations are
unable to determine
cause of breach
100DAYS
industry average time
to detection
70% of breaches start on endpoint devicesWHY?
Gaps in protection Gaps in visibility
What's the difference between
Next-Gen Endpoint Security
vs
Traditional Antivirus
Nyetya, Petyam, WannaCry and other sophisticated ransomware
100DAYS
industry average time
to detection
➢ The WannaCry attack took advantage of a recently-patched Windows
vulnerability to spread via the network, and then dropped previously-unseen
malware that encrypted users' files.
➢ This shows that a comprehensive security program, that covers everything from
your users' behavior to what enters your organization via email or web to how
your endpoints are protected, is critical.
Cisco AMP Protects across the Full Attack Continuum
AV Engine
Command line Visibility
Exploit Prevention
Machine Learning
Indications of Compromise
Malicious Activity Protection
File Reputation
Threat Analytics
Actionable Reporting
Malicious Activity Protection (or MAP)defends your endpoints from ransomware attacks
Identifies malicious
actions of processes
when they execute
Stops them from
encrypting your data
Observes the behavior of
running processes File
Reputation
AMP for Endpoints
File-Less Attacks
Prevention!
“
”
AMP for Endpoints - Exploit Prevention to Stop File-Less Attacks
Cisco AMP for Endpoints now introduces “exploit prevention” capabilities that
will defend your endpoints from file-less attacks that use memory injection on
unpatched software vulnerabilities.
These types of attacks include:
▪ Web-borne attacks, such as Java exploits that use shellcode to run payload
▪ Malicious Adobe and Office document files
▪ Malicious sites containing Flash, Silverlight and Javascript attacks
▪ Vulnerabilities exploited by file-less and non-persistent malware
▪ Zero-day attacks on software vulnerabilities yet to be patched
▪ Ransomware, Trojans, or macros using in-memory techniques
AMP for Endpoints - Exploit Prevention to Stop File-Less Attacks
An example of how these work:
1. The user clicks a link in an email that they believe is from a trusted source (it isn’t)
2. This brings them to a website that looks legit (it isn’t)
3. The website loads Flash (which is the poster boy for vulnerabilities)
4. Flash opens PowerShell, which is a tool on every Windows operating system that can issue
commands through the command line interface (basically it can talk to things and tell them
what to do, all in memory).
5. PowerShell connects to the attacker’s command and control server, whereby it downloads
and runs a malicious script that searches for your data, finds it, and sends it to the attacker.
AMP for Endpoints - Exploit Prevention to Stop File-Less Attacks
When a user starts an application, it will load in Memory;
The AMP connector will allocate a new space in memory for the application. The allocation is performed
automatically, using a one-way randomization algorithm. This makes the memory unpredictable for
potential attackers.
The application processes will be pointed towards the newly allocated memory resources, however the
original allocated memory will be preserved and will function as a "decoy".
The application will now start running as usual. Malicious code, unaware of the memory change, will
attempt to use the original memory, triggering the decoy and therefore the AMP connector. The exploit
attack will be immediately killed and stored in the AMP console for forensic research.
SYSTEM MEMORYSYSTEM MEMORY AMP SPACE MEMORY
What happened to an endpoint?
1st
Where else is that malware?
2nd
What is it doing?
3rd
How do we stop it?
4th
WANT Cutting-Edge Solutions FOR YOUR BUSINESS?
SiEBEN will be happy to help you
www.sieben.solutions & www.pocketbiz.io & www.marera.io
Contact Us Now